Abstract. We introduce a novel binary operation on specifications. The most abstract common refinement (m.a.c.r.) of two specifications $P_1$ and $P_2$ is the most abstract specification that refines both $P_1$ and $P_2$. We define the m.a.c.r.s of $\omega$-automata and of linear temporal formulae. The m.a.c.r. operation supports a two-dimensional system design process that combines structural decomposition with stepwise refinement. As an example, we design and verify a watch in several steps, each of which simultaneously integrates and refines two partial specifications of the watch.


The divide-and-conquer approach to system development requires that the task of designing a large system be decomposed into subtasks. There are two avenues of decomposition that have been pursued. The horizontal (static, structural) decomposition divides the problem of designing a large system into several simpler problems of designing manageable subsystems. Horizontal decompositions of the design process are often labelled as "modular (compositional) design" [AL89, dR85, FFG91, Jon83, Lar90, Pnu85]. The vertical (dynamic, temporal) decomposition divides the problem of designing a large system into several simpler problems of gradually transforming an abstract specification into a concrete system. Vertical decompositions of the design process are often labelled as "stepwise refinement" [AL88, Bac89, CM88, Dij76, Jon89, Lyn89, WLL88, Wir71].

We present a formal framework that combines both approaches and allows the two-dimensional decomposition of the design process. Starting from a collection of system requirements, each of which describes the entire system (not just a structural component), we apply a tree-like process of simultaneously integrating and refining the initial requirements into the desired system. Each step of the process computes the so-called most abstract common refinement (m.a.c.r.) of two partial system descriptions $P_1$ and $P_2$, namely, a system description that is more concrete than both $P_1$ and $P_2$, but not unnecessarily so. The m.a.c.r. thus combines horizontal decomposition ("common") with vertical decomposition ("refinement") in a way ("most abstract") that yields a mathematically complete system design strategy.

Both parallel composition (horizontal) and standard refinement (vertical) are shown to be special cases of m.a.c.r. (two-dimensional): parallel composition combines two descriptions of system parts that are given at the same level of detail; standard refinement combines two system descriptions that are given at different levels of detail; m.a.c.r., in general, combines two system descriptions, each of which describes different parts of the system at different levels of detail.

In Section 1, we define the m.a.c.r. operation on system descriptions (specifications) independent of any particular formalism. In Section 2, we show that an m.a.c.r. operation on states and actions induces an m.a.c.r. operation on behaviors (infinite sequences of states and actions) and properties (sets of behaviors). Sections 3 and 4, then, study the m.a.c.r. operation in two specific trace-based formalisms. First, we compute m.a.c.r.s of automata; then, we introduce a temporal logic with an m.a.c.r. operator. We illustrate the application of m.a.c.r.s in both formalisms by the stepwise design and verification of a watch that operates in several modes.

1 The Most Abstract Common Refinement

A specification formalism $(\mathcal{L}, \sqsubseteq, \bot)$ consists of

(1) the specification language $\mathcal{L}$, a set of specifications;

(2) the refinement (satisfaction, implementation) relation $\sqsubseteq$, a preorder on $\mathcal{L}$; and

(3) the empty (inconsistent) specification $\bot$, a unique bottom element of $(\mathcal{L}, \sqsubseteq)$.

Typical examples of specification formalisms are the set of process terms with simulation, the set of automata with language inclusion, and the set of linear temporal formulae with logical implication.

A specification formalism $(\mathcal{L}, \sqsubseteq, \bot)$ supports the design (refinement, implementation) of systems. Suppose that the desired properties of a system are given as a list $P_1, \ldots, P_n \in \mathcal{L}$ of requirements. The desired system, then, is a nonempty common refinement $P_{1,\ldots,n} \in \mathcal{L}$ of all $n$ requirements:

(1) $P_{1,\ldots,n} \neq \bot$ and

(2) for all $1 \le i \le n$, $P_{1,\ldots,n} \sqsubseteq P_i$.

A refinement strategy is a procedure that, given the list of requirements, constructs a common refinement. The refinement strategy is complete if it finds a nonempty common refinement of the requirements whenever such a refinement exists (otherwise, the strategy returns $\bot$).

A refinement strategy is stepwise (incremental) if it constructs a common refinement of $n$ specifications by repeatedly computing common refinements of two specifications. For example, we may first find a common refinement $P_{1,2}$ of $P_1$ and $P_2$, then a common refinement of $P_{1,2}$ and $P_3$, etc. A stepwise refinement strategy consists, therefore, of a control structure (a binary tree whose leaves are labelled with the initial requirements $P_1, \ldots, P_n$ and whose root is labelled with the resulting system $P_{1,\ldots,n}$) and an algorithm for computing a common refinement of two specifications. Stepwise refinement strategies have two advantages. First, the complexity of each step is more manageable than the overall problem. Second, if at a later time we have to add a new requirement $P_{n+1}$, the system $P_{1,\ldots,n}$ can be updated incrementally by computing a common refinement of $P_{1,\ldots,n}$ and $P_{n+1}$.

If a stepwise refinement strategy introduces, at any step, unnecessary constraints, then the strategy is not complete. Thus, to define complete stepwise refinement strategies, we are led to the notion of a most abstract (most general, greatest) common refinement (m.a.c.r.): the specification $Q$ is an m.a.c.r. of the two specifications $Q_1$ and $Q_2$ if $Q$ is a greatest lower bound of $Q_1$ and $Q_2$; that is,

(1) $Q \sqsubseteq Q_1$ and $Q \sqsubseteq Q_2$, and

(2) for all specifications $P$, if $P \sqsubseteq Q_1$ and $P \sqsubseteq Q_2$ then $P \sqsubseteq Q$.
A specification formalism $(\mathcal{L}, \sqsubseteq, \bot)$ is a refinement structure if every pair of specifications has an m.a.c.r. Two specifications $Q_1$ and $Q_2$ are equivalent if $Q_1 \sqsubseteq Q_2$ and $Q_2 \sqsubseteq Q_1$. Since the refinement relation $\sqsubseteq$ need not be antisymmetric, the m.a.c.r. of two specifications is unique only up to equivalence. For example, automata with language inclusion and linear temporal formulae with logical implication are refinement structures: the m.a.c.r. of two automata over a common alphabet is the product (intersection) of both automata (unique up to language equivalence); the m.a.c.r. of two formulae over a common set of variables is the conjunction of both formulae (unique up to logical equivalence).

From now on, we shall freely interpret the equality symbol between two specifications of a refinement structure as equivalence. This allows us to introduce an m.a.c.r. operation and to write $Q_1 \sqcap Q_2$ for "the" m.a.c.r. of $Q_1$ and $Q_2$. The binary function $\sqcap$ is associative, commutative, idempotent, and $Q_1 \sqsubseteq Q_2$ implies $Q_1 \sqcap Q_2 = Q_1$. It follows that refinement structures support the stepwise design of systems: every stepwise refinement strategy that, at each step, computes the m.a.c.r. of two (initial or intermediate) specifications is complete (not to mention that the computation of m.a.c.r.s eliminates the problem of "guessing" common refinements). In particular, a stepwise refinement strategy that computes m.a.c.r.s only may rely on any control structure.

We conclude by pointing out that an algorithm for computing the m.a.c.r. of two specifications provides not only a complete method for the stepwise design of systems, but also a complete method for the verification of system requirements that are given at different levels of abstraction: a system $P_1 \in \mathcal{L}$ satisfies a requirement $P_2 \in \mathcal{L}$ (that is, $P_1 \sqsubseteq P_2$) iff $P_1 \sqcap P_2 = P_1$.

2 Trace refinement structures

Language inclusion is a very rough notion of refinement for trace-based formalisms. Typically one wishes to refine the states and actions of a trace by introducing new auxiliary variables [AL88], rather than throw away the entire trace. Thus we assume that the underlying alphabets of states and actions are not flat, but themselves refinement structures. We then lift these refinement structures on states and actions to a refinement structure on behaviors (infinite sequences of states and actions) and a refinement structure on properties (stutter-closed sets of behaviors). Closure under stuttering allows us to refine a single action with a finite sequence of actions [Lam83].

2.1 Uninterpreted trace refinement structures

Let $A = \{a, b, c, \ldots\}$ be an alphabet of symbols. Let $\sqsubseteq$ be a binary relation on $A$ and let $\bot$ be a symbol in $A$ such that

(1) $(A, \sqsubseteq, \bot)$ is a refinement structure and

(2) for every symbol $a \in A$ there exists a stutter symbol $\tau_a \in A$ such that for all symbols $a$ and $b$, $\tau_{a \sqcap b} = \tau_a \sqcap \tau_b$.

In particular, $\tau_\bot = \bot$ for the bottom symbol $\bot$.

A behavior is an infinite sequence of symbols. We write $\alpha(i)$ for the $i$-th symbol of the sequence $\alpha$. The behavior $\alpha_1$ refines the behavior $\alpha_2$ if all symbols of $\alpha_1$ refine the corresponding symbols of $\alpha_2$; that is, $\alpha_1 \sqsubseteq \alpha_2$ iff for all $i \ge 0$, $\alpha_1(i) \sqsubseteq \alpha_2(i)$.

Lemma 1 $(A^\omega, \sqsubseteq, \bot^\omega)$ is a refinement structure. In particular, for all $i \ge 0$, $(\alpha_1 \sqcap \alpha_2)(i) = \alpha_1(i) \sqcap \alpha_2(i)$.
A property $P$ is a nonempty set of behaviors that is closed under stuttering; that is, if $\alpha$ is in $P$ and $\alpha'$ results from $\alpha$ by adding the stutter symbol $\tau_{\alpha(i)}$ before the $i$-th symbol of $\alpha$, for any $i \ge 0$, then $\alpha'$ is also in $P$. We write $\mathcal{L}_A$ for the set of properties. The property $P_1$ refines the property $P_2$, written $P_1 \sqsubseteq P_2$, if for every behavior $\alpha_1$ in $P_1$ there exists a behavior $\alpha_2$ in $P_2$ such that $\alpha_1$ refines $\alpha_2$.

Proposition 1 $(\mathcal{L}_A, \sqsubseteq, \{\bot^\omega\})$ is a refinement structure. In particular,

$$P_1 \sqcap P_2 = \{\alpha \mid \exists \alpha_1 \in P_1.\ \exists \alpha_2 \in P_2.\ \alpha = \alpha_1 \sqcap \alpha_2\}.$$

We call $(\mathcal{L}_A, \sqsubseteq, \{\bot^\omega\})$ the trace refinement structure of $(A, \sqsubseteq, \bot)$.


2.2 The trace refinement structure of states

Let $U = \{x, y, z, \ldots\}$ be a universe of variables. A state $(V, F)$ consists of a set $V$ of variables from $U$ and a function $F$ from $V$ to a set of values, which contains the inconsistent value $\bot$. Given a state $s$, we write $V_s$ for the variables of $s$ and $F_s$ for the function of $s$. The state $s$ should be thought of as (1) constraining, by $F_s$, the values of the variables in $V_s$, and (2) not constraining the values of the variables that are not in $V_s$. By $\Sigma$ we denote the set of all states; by $\Sigma_V$, the set of states $s$ with $V_s = V$.

If a variable $x$ is assigned the inconsistent value $\bot$, this indicates that the entire state is inconsistent (cannot occur). Let $s_\bot^V = (V, \lambda x.\bot)$ be the bottom state on $V$, and $s_\bot = s_\bot^U$. The state $s$ refines the state $t$, written $s \sqsubseteq t$, if $V_s \supseteq V_t$ and for every variable $x$ in $V_t$, if $F_s(x) \neq \bot$ then $F_s(x) = F_t(x)$. That is, $s$ further constrains the variables of $t$ and possibly constrains other, typically auxiliary, variables. Given a state $s$, the stutter state $\tau_s$ is $s$ itself.


Proposition 2 $(\Sigma, \sqsubseteq, s_\bot)$ is a refinement structure. In particular, $V_{s \sqcap t} = V_s \cup V_t$ and for each variable $x \in V_{s \sqcap t}$,

$$F_{s \sqcap t}(x) = \begin{cases} \bot & \text{if } x \in V_s \text{ and } x \in V_t \text{ and } F_s(x) \neq F_t(x), \\ F_s(x) & \text{if } x \in V_s \text{ and either } x \notin V_t \text{ or } F_s(x) = F_t(x), \\ F_t(x) & \text{otherwise.} \end{cases}$$

Furthermore, for all states $s$ and $t$, $\tau_{s \sqcap t} = \tau_s \sqcap \tau_t$.


In other words, the m.a.c.r. of two states $s$ and $t$ is the state that does not constrain any variables other than the variables of $s$ and $t$, and those are constrained in a way that is consistent with both $s$ and $t$ without being unnecessarily restrictive.

If we fix the set $V$ of variables and consider only states in $\Sigma_V$, we obtain again a refinement structure with stutter states. This is because $V_s = V_t$ implies $V_s = V_{s \sqcap t}$, and because $V_{\tau_s} = V_s$.


Corollary 1 If $V$ is a set of variables, then $(\Sigma_V, \sqsubseteq, s_\bot^V)$ is a refinement substructure of $(\Sigma, \sqsubseteq, s_\bot)$. In particular,

$$F_{s \sqcap t}(x) = \begin{cases} \bot & \text{if } F_s(x) \neq F_t(x), \\ F_s(x) & \text{otherwise.} \end{cases}$$


It follows that all results of Section 2.1 apply for the set $\Sigma$ of states, as well as for all subsets $\Sigma_V$. In particular, the state refinement structure $(\Sigma, \sqsubseteq, s_\bot)$ induces a refinement structure on state behaviors (infinite state sequences) and a trace refinement structure on state properties (stutter-closed sets of state behaviors).
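As an added example, not part of the paper, the state m.a.c.r. of Proposition 2 and the state refinement relation of this section in Python. States are dicts from variable names to values and the inconsistent value $\bot$ is represented by None (both are assumptions of the example). The block also exercises the stepwise design strategy of Section 1 and the verification rule $P_1 \sqsubseteq P_2$ iff $P_1 \sqcap P_2 = P_1$ on a few constructed requirements; the function names are the example's own.

```python
BOT = None  # the inconsistent value ⊥ (assumption of this example: represented by None)


def state_macr(s, t):
    """Proposition 2: V_{s⊓t} = V_s ∪ V_t, and F_{s⊓t}(x) is ⊥ where s and t disagree on x,
    F_s(x) where only s constrains x or both agree, and F_t(x) otherwise."""
    u = {}
    for x in s.keys() | t.keys():
        if x in s and x in t and s[x] != t[x]:
            u[x] = BOT
        elif x in s:
            u[x] = s[x]
        else:
            u[x] = t[x]
    return u


def state_refines(s, t):
    """s ⊑ t iff V_s ⊇ V_t and, for every x in V_t with F_s(x) ≠ ⊥, F_s(x) = F_t(x)."""
    return s.keys() >= t.keys() and all(s[x] == BOT or s[x] == t[x] for x in t)


def is_inconsistent(s):
    """A variable at ⊥ means the whole state cannot occur (it stands for the bottom state on V_s)."""
    return any(v == BOT for v in s.values())


def stepwise_design(requirements):
    """Fold the requirements with ⊓, starting from the state over no variables (which constrains
    nothing).  Since ⊓ is associative and commutative, every control structure gives the same system."""
    system = {}
    for req in requirements:
        system = state_macr(system, req)
    return system


def satisfies(p1, p2):
    """Verification by m.a.c.r. (end of Section 1): P1 ⊑ P2 iff P1 ⊓ P2 = P1.
    On states ⊑ is antisymmetric, so the equality is plain equality, not just equivalence."""
    return state_macr(p1, p2) == p1


# Constructed requirements: each constrains only the variables it mentions.
REQ_X = {"x": 1}
REQ_Y = {"y": 2}
REQ_XZ = {"x": 1, "z": 3}   # refines REQ_X: same x, plus the auxiliary variable z
REQ_CLASH = {"x": 2}        # inconsistent with REQ_X


def design_example():
    """The three compatible requirements integrate into one concrete state."""
    return stepwise_design([REQ_X, REQ_Y, REQ_XZ])


if __name__ == "__main__":
    system = design_example()
    print("system:", system, "satisfies REQ_X:", satisfies(system, REQ_X))
    print("adding REQ_CLASH gives an inconsistent state:",
          is_inconsistent(stepwise_design([system, REQ_CLASH])))
```

The fold in `stepwise_design` is one particular control structure (a left-deep tree); because `state_macr` is associative and commutative, regrouping the requirements cannot change the result, which is exactly why the paper can let a complete strategy use any control structure.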
2.3 The trace refinement structure of actions

An action $p$ is a state transformation [Lam91] and can be refined in two ways, (1) by further constraining the effects of $p$ on its variables, and (2) by introducing new auxiliary variables to model the execution of $p$ in greater detail.

Formally, an action $(V, R)$ consists of a set $V$ of variables from $U$ and a binary relation $R$ on $\Sigma_V$ such that $(s_\bot^V, s_\bot^V) \in R$. Given an action $p$, we write $V_p$ for the variables of $p$ and $R_p$ for the relation of $p$. The action $p$ should be thought of as (1) constraining, by $R_p$, the ways in which the variables in $V_p$ may change as a result of performing $p$, and (2) not constraining what happens to the variables that are not in $V_p$. By $\Pi$ we denote the set of all actions; by $\Pi_V$, the set of actions $p$ with $V_p = V$.

Two states $s$ and $t$ are consistent if they agree on all common variables; that is, for all $x \in V_s \cap V_t$, $F_s(x) = F_t(x)$. Let $R$ be a binary relation on the set $\Sigma_V$ of states over $V$, and let $V'$ be a set of variables. The adjustment $R^{V'}$ of $R$ to the variables in $V'$ is a binary relation on $\Sigma_{V'}$ such that every pair of states in $R^{V'}$ agrees with a pair of states in $R$ on the values of all common variables; that is, $(s', t') \in R^{V'}$ iff there exists a pair $(s, t)$ of states in $R$ such that $s$ and $s'$ are consistent, and $t$ and $t'$ are consistent.

Let $p_\bot^V = (V, \{(s_\bot^V, s_\bot^V)\})$ be the bottom action on $V$, and $p_\bot = p_\bot^U$. The action $p$ refines the action $q$, written $p \sqsubseteq q$, if $V_p \supseteq V_q$ and $R_p^{V_q} \subseteq R_q$; that is, $p$ further constrains the variables of $q$ and possibly constrains other, typically auxiliary, variables. Given an action $p$, the stutter action $\tau_p$ consists of the set $V_p$ of variables and the relation $\{(s, s) \mid (s, t) \in R_p\}$; that is, $\tau_p$ leaves the variables of $p$ unchanged and allows arbitrary modifications of all other variables.

Proposition 3 $(\Pi, \sqsubseteq, p_\bot)$ is a refinement structure. In particular, $V_{p \sqcap q} = V_p \cup V_q$ and

$$R_{p \sqcap q} = R_p^{V_p \cup V_q} \cap R_q^{V_p \cup V_q}.$$

Furthermore, for all actions $p$ and $q$, $\tau_{p \sqcap q} = \tau_p \sqcap \tau_q$.

In other words, the m.a.c.r. of two actions $p$ and $q$ is the action that does not constrain any variables other than the variables of $p$ and $q$, and those are constrained in a way that is consistent with both $p$ and $q$ without being unnecessarily restrictive. The action $p \sqcap q$ should, therefore, be thought of as the simultaneous concurrent execution of both $p$ and $q$.

If we fix the set $V$ of variables and consider only actions in $\Pi_V$, we obtain again a refinement structure with stutter actions. This is because $V_p = V_q$ implies $V_p = V_{p \sqcap q}$, and because $V_{\tau_p} = V_p$.

Corollary 2 If $V$ is a set of variables, then $(\Pi_V, \sqsubseteq, p_\bot^V)$ is a refinement substructure of $(\Pi, \sqsubseteq, p_\bot)$. In particular, $R_{p \sqcap q} = R_p \cap R_q$.

It follows that all results of Section 2.1 apply for the set $\Pi$ of actions, as well as for all subsets $\Pi_V$. In particular, the action refinement structure $(\Pi, \sqsubseteq, p_\bot)$ induces a refinement structure on action behaviors (infinite action sequences) and a trace refinement structure on action properties (stutter-closed sets of action behaviors).

2.4 From actions to states and back

Now we establish the connection between the state-based and the action-based view and show that they are essentially equivalent.

We use the function $Stat$ to translate action properties into state properties. The state translation $Stat[\pi]$ of an action behavior $\pi$ contains the infinite state sequence $\sigma$ if for all $i \ge 0$, there is a pair of states $(s_i, t_i)$ in $R_{\pi(i)}$ such that $\sigma(0) = s_0$ and for $i > 0$, $t_{i-1}$ and $s_i$ are consistent and $\sigma(i) = t_{i-1} \sqcap s_i$.

Consider, for example, the behavior $\pi = ppqq\ldots$ with

$V_p = \{x\}$, and $(s, t) \in R_p$ iff $F_t(x) = F_s(x) + 1$;

$V_q = \{y\}$, and $(s, t) \in R_q$ iff $F_t(y) = F_s(y) + 1$;

that is, $p$ increments the variable $x$ and $q$ increments the variable $y$. Then $Stat[\pi]$ contains a state sequence whose first four states are $(x{:}\,5)$, $(x{:}\,6)$, $(x{:}\,7,\ y{:}\,0)$, and $(y{:}\,1)$.

The state translation $Stat[P]$ of an action property $P$ is the stutter closure of the set

$$\{\sigma \mid \exists \pi \in P.\ \sigma \in Stat[\pi]\}.$$

By definition, $Stat[P]$ is closed under the stuttering of states.

Proposition 4 The state translation $Stat$ is a homomorphism from the trace refinement structure of $(\Pi, \sqsubseteq, p_\bot)$ to the trace refinement structure of $(\Sigma, \sqsubseteq, s_\bot)$.

We use the function $Act$ to translate state properties into action properties. The action translation $Act[\sigma]$ of a state behavior $\sigma$ is an infinite action sequence $\pi$ such that for all $i \ge 0$, $V_{\pi(i)} = V_{\sigma(i)} \cup V_{\sigma(i+1)}$ and

$$R_{\pi(i)} = \{(s, t) \mid \forall x \in V_{\sigma(i)}.\ F_s(x) = \bot \text{ or } F_s(x) = F_{\sigma(i)}(x), \text{ and } \forall x \in V_{\sigma(i+1)}.\ F_t(x) = \bot \text{ or } F_t(x) = F_{\sigma(i+1)}(x)\}.$$

The action translation $Act[P]$ of a state property $P$ is the stutter closure of the set

$$\{\pi \mid \exists \sigma \in P.\ \pi = Act[\sigma]\}.$$

Again by definition, $Act[P]$ is closed under the stuttering of actions.

Proposition 5 The action translation $Act$ is a homomorphism from the trace refinement structure of $(\Sigma, \sqsubseteq, s_\bot)$ to the trace refinement structure of $(\Pi, \sqsubseteq, p_\bot)$.
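As an added example that is not part of the paper, the constructions of Sections 2.3 and 2.4 in Python over a constructed finite value domain: actions as pairs $(V, R)$ built from a predicate on $F_s$ and $F_t$, the adjustment $R^{V'}$, the refinement test $p \sqsubseteq q$, the m.a.c.r. of Proposition 3, the stutter action $\tau_p$, and the state translation $Stat$ applied to the running example $\pi = ppqq\ldots$ of Section 2.4. States are frozensets of (variable, value) pairs, the inconsistent value $\bot$ is left out of the enumeration, and the names (action, adjust, macr, stat_prefixes) are the example's own.

```python
from itertools import product

# Constructed finite value domain for the counters x and y; the inconsistent value ⊥ of the
# paper is left out of the enumeration for brevity (an assumption of this example).
DOM = range(8)


def states_over(V):
    """All states over the variable set V, as frozensets of (x, F(x)) pairs (hashable dicts)."""
    names = tuple(sorted(V))
    return [frozenset(zip(names, vals)) for vals in product(DOM, repeat=len(names))]


def action(V, pred):
    """The action (V, R) whose relation R holds every pair (s, t) over V with pred(F_s, F_t)."""
    V = frozenset(V)
    cand = states_over(V)
    return (V, frozenset((s, t) for s in cand for t in cand if pred(dict(s), dict(t))))


def consistent(s, t):
    """Two states are consistent if they agree on all common variables."""
    ds = dict(s)
    return all(x not in ds or ds[x] == v for (x, v) in t)


def adjust(R, V2):
    """Adjustment R^{V2}: the pairs over V2 that agree with some pair of R on all common variables."""
    cand = states_over(V2)
    return frozenset((s2, t2) for s2 in cand for t2 in cand
                     if any(consistent(s, s2) and consistent(t, t2) for (s, t) in R))


def refines(p, q):
    """p ⊑ q iff V_p ⊇ V_q and R_p^{V_q} ⊆ R_q."""
    (Vp, Rp), (Vq, Rq) = p, q
    return Vp >= Vq and adjust(Rp, Vq) <= Rq


def macr(p, q):
    """Proposition 3: V_{p⊓q} = V_p ∪ V_q and R_{p⊓q} = R_p^{V_p∪V_q} ∩ R_q^{V_p∪V_q}."""
    (Vp, Rp), (Vq, Rq) = p, q
    V = Vp | Vq
    return (V, adjust(Rp, V) & adjust(Rq, V))


def stutter(p):
    """τ_p = (V_p, {(s, s) | (s, t) ∈ R_p}): the variables of p stay unchanged."""
    Vp, Rp = p
    return (Vp, frozenset((s, s) for (s, _) in Rp))


def stat_prefixes(pi, sigma0, n):
    """Length-n prefixes of the state sequences in Stat[π] that start with σ(0) = sigma0, following
    Section 2.4: σ(0) = s_0 and, for i > 0, σ(i) = t_{i-1} ⊓ s_i with (s_i, t_i) ∈ R_{π(i)} and s_i
    consistent with t_{i-1} (for consistent states, ⊓ is just the union of both constraint sets)."""
    found = set()

    def extend(i, prev_t, prefix):
        if i == n:
            found.add(tuple(prefix))
            return
        for (s, t) in pi[i][1]:
            if (i == 0 and s != sigma0) or (i > 0 and not consistent(prev_t, s)):
                continue
            extend(i + 1, t, prefix + [s if i == 0 else prev_t | s])

    extend(0, None, [])
    return found


# Constructed actions: p increments x, q increments y, r increments x only while y = 0.
p = action({"x"}, lambda s, t: t["x"] == s["x"] + 1)
q = action({"y"}, lambda s, t: t["y"] == s["y"] + 1)
r = action({"x", "y"}, lambda s, t: s["y"] == 0 and t["x"] == s["x"] + 1)


def paper_sequence_occurs():
    """Section 2.4's example: Stat[ppqq...] contains (x:5), (x:6), (x:7, y:0), (y:1), ..."""
    want = tuple(frozenset(d.items()) for d in ({"x": 5}, {"x": 6}, {"x": 7, "y": 0}, {"y": 1}))
    return want in stat_prefixes([p, p, q, q], frozenset({("x", 5)}), 4)
```

Note that $r$ refines $p$ (it adds the auxiliary variable $y$ and constrains $x$ no less than $p$ does), so by Section 1 the m.a.c.r. of $p$ and $r$ is $r$ itself, while $p \sqcap q$ is the simultaneous increment of both counters.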

3 Specification Language 1: Automata

We use Muller automata to specify properties.

A Muller automaton $M = (S, S^0, E, F)$ over the input alphabet $A$ consists of a finite set $S$ of control locations, a set $S^0 \subseteq S$ of start locations, a function $E : S \times S \to A$ that assigns input symbols to all transitions, and a set $F \subseteq 2^S$ of acceptance sets. If $E(r, r') = a$, then the automaton can change the control location from $r$ to $r'$ by reading the symbol $a$. A behavior $\alpha$ is a run of $M$ if there exists an infinite sequence $\rho$ of control locations such that

(1) $\rho(0)$ is a start location ($\rho(0) \in S^0$),

(2) for all $i \ge 0$, the transition from $\rho(i)$ to $\rho(i+1)$ is labelled with $\alpha(i)$ ($E(\rho(i), \rho(i+1)) = \alpha(i)$), and

(3) the set of control locations that occur infinitely often in $\rho$ is in $F$.

Let $L(M)$ be the set of runs of $M$.

The transition label $\bot$ indicates the absence of a transition. Given a set $L$ of sequences, let $[L]$ be the maximal subset of $L$ that does not contain a $\bot$ symbol. The language of the automaton $M$, then, is the set $[L(M)]$ of runs that do not contain $\bot$.




3.1 The most abstract common refinement of automata

The property $P(M)$ that is defined by the Muller automaton $M$ is the stutter closure of the set $L(M)$ of runs. We write for the set of properties that are definable by Muller automata over the alphabet $A$. The constructive proof of the following theorem provides a method for the stepwise design of systems from requirements that are given as Muller automata.

Theorem 1 The set of properties definable by Muller automata over $A$ is closed under $\sqcap$. In particular, given two Muller automata $M_1 = (S_1, S_1^0, E_1, F_1)$ and $M_2 = (S_2, S_2^0, E_2, F_2)$,

$$P(M_1 \sqcap M_2) = P(M_1) \sqcap P(M_2)$$

for the Muller automaton $M_1 \sqcap M_2 = (S, S^0, E, F)$ with

$S = S_1 \times S_2$,

$S^0 = S_1^0 \times S_2^0$,

$E((r_1, r_2), (r_1', r_2')) = E_1(r_1, r_1') \sqcap E_2(r_2, r_2')$,

$F = \{R \mid R_1 \in F_1 \text{ and } R_2 \in F_2\}$,

where $R_i$, for $i = 1, 2$, is the $i$-th projection of the set $R$ of pairs.

Corollary 3 The set of properties definable by Muller automata over $A$, with $\sqsubseteq$ and $\{\bot^\omega\}$, is a refinement substructure of the trace refinement structure of $(A, \sqsubseteq, \bot)$.

Suppose that we interpret the input symbols as actions. The m.a.c.r. $M_1 \sqcap M_2$ of two automata $M_1$ and $M_2$ performs, then, an $a \sqcap b$ action iff $M_1$ performs an $a$ action and $M_2$ performs a $b$ action. The $\sqcap$ operation on automata, therefore, is a generalized product operation. Indeed, standard product operations are special cases.

Most abstract common refinement as communicating composition. The communicating product $M$ of two automata $M_1$ and $M_2$ performs an $a$ action iff both $M_1$ and $M_2$ perform $a$ actions; that is, $L(M) = L(M_1) \cap L(M_2)$. The communicating product is the m.a.c.r. of two automata if the underlying refinement structure $(A, \sqsubseteq, \bot)$ is flat:

(1) for all actions $a$ and $b$, if $a \sqsubseteq b$ then $a = b$ or $a = \bot$, and

(2) for all actions $a$, $\tau_a = \bot$.

Condition (1) ensures that no two distinct executable actions have an executable common refinement; condition (2) ensures that no executable action of one automaton can be performed together with a stutter action of the other automaton.

Most abstract common refinement as truly concurrent composition. The truly concurrent product of two automata $M_1$ and $M_2$ performs an $(a, b)$ action iff $M_1$ performs an $a$ action and $M_2$ performs a $b$ action. The truly concurrent product is the m.a.c.r. of two automata if the underlying refinement structure $(A, \sqsubseteq, \bot)$ has products:

(1) for all actions $a$ and $b$, $a \sqcap b = (a, b)$,

(2) for all actions $a$ and $b$, $(a, b) = \bot$ iff $a = \bot$ or $b = \bot$, and

(3) for all actions $a$, $\tau_a = \bot$.

Most abstract common refinement as interleaving composition. The interleaving product $M$ of two automata $M_1$ and $M_2$ performs an $a$ action iff either $M_1$ performs an $a$ action and $M_2$ performs a stutter action, or vice versa. The interleaving product is the m.a.c.r. of two automata if the sets of actions $A_1$ and $A_2$ of the two automata are disjoint, every location contains a self-loop transition labelled with a stutter action and stutter actions label only self-loops. Finally, the underlying refinement structure has products:

(1) for all actions $a \in A_1$ and $b \in A_2$ (or $a \in A_2$ and $b \in A_1$), if $a$ is a stutter action then $a \sqcap b = b$,

(2) for all actions $a \in A_1$ and $b \in A_2$, if both $a$ and $b$ are not stutter actions then $a \sqcap b = \bot$.

The following example illustrates that, in general, the most abstract common refinement of two automata is perhaps best viewed not as a product, but as the "most general unifier" of the transition graphs.
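An added example, not from the paper, of the construction in Theorem 1 and of the first two special cases above, in Python. Automata are tuples $(S, S^0, E, F)$ with $E$ a dict that maps a transition pair to its symbol (a missing pair stands for the label $\bot$), and the m.a.c.r. on symbols is passed in as a function, so the same construction yields the communicating product for a flat alphabet and the truly concurrent product for an alphabet with products. Since every test input is an ultimately periodic behavior prefix·cycle$^\omega$, run acceptance is decided by searching the graph of (location, cycle position) pairs for a reachable strongly connected part whose locations form an acceptance set. The automata, alphabets and function names are constructed for this example.

```python
from itertools import combinations

BOT = "⊥"  # the transition label that stands for the absence of a transition


def flat_macr(a, b):
    """Flat alphabet (communicating composition): a ⊓ b = a if a = b, and ⊥ otherwise."""
    return a if a == b else BOT


def product_macr(a, b):
    """Alphabet with products (truly concurrent composition): a ⊓ b = (a, b), ⊥ iff a = ⊥ or b = ⊥."""
    return BOT if BOT in (a, b) else (a, b)


def macr_automaton(M1, M2, sym_macr):
    """Theorem 1: M1 ⊓ M2 = (S1 × S2, S1° × S2°, E, F) with
    E((r1, r2), (r1', r2')) = E1(r1, r1') ⊓ E2(r2, r2') and F = {R | R↓1 ∈ F1 and R↓2 ∈ F2}."""
    (S1, I1, E1, F1), (S2, I2, E2, F2) = M1, M2
    S = frozenset((r1, r2) for r1 in S1 for r2 in S2)
    I = frozenset((r1, r2) for r1 in I1 for r2 in I2)
    E = {}
    for u in S:
        for v in S:
            a = sym_macr(E1.get((u[0], v[0]), BOT), E2.get((u[1], v[1]), BOT))
            if a != BOT:          # a ⊥ label is simply the absence of the transition
                E[(u, v)] = a
    locs = list(S)
    subsets = (frozenset(c) for k in range(1, len(locs) + 1) for c in combinations(locs, k))
    F = frozenset(R for R in subsets
                  if frozenset(r[0] for r in R) in F1 and frozenset(r[1] for r in R) in F2)
    return (S, I, E, F)


def accepts_lasso(M, prefix, cycle):
    """Does M have a run over prefix·cycle^ω?  After reading the prefix, the automaton moves on the
    graph G of (location, cycle position) nodes; a run is accepting iff some reachable strongly
    connected part of G that contains a cycle has exactly an acceptance set as its set of locations."""
    S, I, E, F = M
    k = len(cycle)

    def succ(u, a):
        return {v for (u2, v), b in E.items() if u2 == u and b == a}

    locs = set(I)
    for a in prefix:
        locs = {v for u in locs for v in succ(u, a)}
    G = {(u, i): {(v, (i + 1) % k) for v in succ(u, cycle[i])} for u in S for i in range(k)}

    def reach(start, allowed):
        seen, todo = set(), [n for n in start if n in allowed]
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(v for v in G[n] if v in allowed)
        return seen

    reachable = reach({(u, 0) for u in locs}, set(G))
    for R in F:
        allowed = {n for n in G if n[0] in R}
        for u in reachable & allowed:
            scc = {v for v in reach({u}, allowed) if u in reach({v}, allowed)}
            if (len(scc) > 1 or u in G[u]) and {v[0] for v in scc} == R:
                return True
    return False


# Constructed automata over the alphabet {a, b}: M1 accepts exactly (ab)^ω, M2 accepts every
# behavior over {a, b} (location 1 after an a, location 2 after a b), M3 accepts exactly a^ω.
M1 = (frozenset({0, 1}), frozenset({0}), {(0, 1): "a", (1, 0): "b"}, frozenset({frozenset({0, 1})}))
M2 = (frozenset({0, 1, 2}), frozenset({0}),
      {(0, 1): "a", (0, 2): "b", (1, 1): "a", (1, 2): "b", (2, 1): "a", (2, 2): "b"},
      frozenset({frozenset({1}), frozenset({2}), frozenset({1, 2})}))
M3 = (frozenset({0}), frozenset({0}), {(0, 0): "a"}, frozenset({frozenset({0})}))


def communicating_keeps_ab():
    """Flat alphabet: M1 ⊓ M2 is the communicating product; L(M1) ∩ L(M2) still contains (ab)^ω."""
    return accepts_lasso(macr_automaton(M1, M2, flat_macr), [], ["a", "b"])


def communicating_blocks_m1_m3():
    """M1 and M3 never agree on b, so their communicating product accepts neither (ab)^ω nor a^ω."""
    M = macr_automaton(M1, M3, flat_macr)
    return accepts_lasso(M, [], ["a", "b"]) or accepts_lasso(M, [], ["a"])


def truly_concurrent_pairs():
    """With products, M1 ⊓ M3 performs (a, a) then (b, a): M1 reads ab while M3 reads aa."""
    return accepts_lasso(macr_automaton(M1, M3, product_macr), [], [("a", "a"), ("b", "a")])
```

The acceptance check is deliberately Muller-specific: it asks for a strongly connected part whose location set equals an acceptance set, rather than for a single simple cycle, because a run may alternate between several cycles and its infinitely-often set is then the union of their locations.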

3.2 Example: stepwise watch design

Consider a watch that has three modes of operation: Display, Update, and Stopwatch. We define the watch by three Muller automata. While each of the three automata specifies the entire watch, it provides details only for one mode of operation. The m.a.c.r. of the three automata, then, and not the product, is a suitable implementation of the watch.

The Display mode and its connections to the other modes are specified by the automaton $M_d = (S_d, S_d^0, E_d, F_d)$ of Figure 1 (we write $\{r\} \cup 2^S$ short for $\{\{r\} \cup R \mid R \in 2^S\}$). For simplicity we omit in Figure 1 and in the following figures self-loops of the automata labelled with stutter actions. Thus, assume that if a transition labelled $a$ starts at location $s$ then $s$ has a self-loop transition labelled with $\tau_a$. To reduce the size of $M_d$, we assume that the watch always displays one of only three possible time values; they are represented by the locations $s_0$, $s_1$, and $s_2$. Time advances with $tic$ actions. The watch has two control buttons, $cb_1$ and $cb_2$. When $cb_1$ is pressed, the watch switches from Display mode to Update mode (location $s_4$), and back, via the action $a_0$, $a_1$, or $a_2$. The second button $cb_2$ causes a switch to Stopwatch mode (location $s_3$), and back, via the action $b_0$, $b_1$, or $b_2$. The action $x$ abstractly represents any actions of the watch while it is not in Display mode.

The Update mode and its connections to the other modes are specified by the automaton $M_u = (S_u, S_u^0, E_u, F_u)$ of Figure 2. In locations $w_0$, $w_1$, and $w_2$, time advances with $tuc$ actions. When $cb_2$ is pressed, the watch decrements time (action $d$). The action $y$ abstractly represents any actions of the watch while it is not in Update mode (location $w_3$).

The Stopwatch mode and its connections to the other modes are specified by the automaton $M_s = (S_s, S_s^0, E_s, F_s)$ of Figure 3. In locations $m_1$ to $m_9$, time advances with $tac$ actions, updating both the time and the stopwatch counter. Since the stopwatch can be initiated at any of the three possible time values, there are nine possible locations. The action $z$ abstractly represents any actions of the watch while it is not in Stopwatch mode (location $m_0$).

In addition to the three automata we are also given a refinement relation $\sqsubseteq$ on the actions. The refinement relation for the actions of $M_d$ and $M_u$ is shown in Figure 4 (we omit the bottom and the stutter actions). Figure 4 also presents the most abstract common refinement $M_d \sqcap M_u$ of the two automata $M_d$ and $M_u$. The m.a.c.r. automaton has a transition graph similar to the transition graph of the Display automaton $M_d$, except that location $s_4$, which represents the Update mode, has some inner structure. The transition graph of $M_d \sqcap M_u$ is also similar to the transition graph of the automaton $M_u$, except that location $w_3$ has some inner structure. The complete watch $M$ is obtained by taking the m.a.c.r. of the two automata $M_d \sqcap M_u$ and $M_s$ (see the full paper).

Now assume that after the completion of the watch design, we decide to produce an improved model by doubling the precision of the stopwatch component. The automaton of Figure 5 specifies the new stopwatch component. Figure 5 also shows the refinement relation for the actions of the old and the new stopwatch components. We need not construct the new watch from scratch. Rather, we first prove that $M'_s$ refines $M_s$ (that is, $P(M'_s) \sqsubseteq P(M_s)$) and then take the m.a.c.r. of the old watch $M$ and the new stopwatch component $M'_s$. To prove that $P(M'_s) \sqsubseteq P(M_s)$, it suffices to show that the two Muller automata $M'_s \sqcap M_s$ and $M'_s$ define the same properties (trace equivalence).

4 Specification Language 2: Temporal Logic

We introduce a linear temporal logic, called TL⊓, to specify properties. The novelty about TL⊓ is that it contains an m.a.c.r. operator and therefore supports the refinement of formulae.

4.1 A temporal logic with a most-abstract-common-refinement operator

Let a set of atomic formulae be given. Every atomic formula $\Phi$ defines a set $\llbracket\Phi\rrbracket$ of symbols from $A$. An atomic formula $\Phi$ is stutter closed if for every $a \in \llbracket\Phi\rrbracket$, $\tau_a$ is also in $\llbracket\Phi\rrbracket$.

The temporal formulae $\Psi$ of TL⊓ are defined by the following grammar:

$$\Psi ::= \varphi \mid \Box[\Phi] \mid \Box\Psi \mid \Diamond\Psi \mid \Psi_1 \sqcap \Psi_2 \mid \bot,$$

where $\varphi$ and $\Phi$ are atomic formulae and $\varphi$ is stutter closed. Stutter closed atomic formulae are typically used to specify the initial conditions of a system; boxed atomic formulae, to specify the transition relation; temporal operators, to specify the fairness assumptions (since TL⊓ lacks negation on the temporal level, both $\Box$ and $\Diamond$ are given). The m.a.c.r. operator $\sqcap$, finally, is typically used to combine several specifications of a system.

The TL⊓-formula $\Psi$ defines the set $\llbracket\Psi\rrbracket$ of behaviors:

$\alpha \in \llbracket\varphi\rrbracket$ iff $\alpha(0) \in \llbracket\varphi\rrbracket$;

$\alpha \in \llbracket\Box[\Phi]\rrbracket$ iff for all $i \ge 0$, $\alpha(i) = \tau_{\alpha(i+1)}$ or $\alpha(i) \in \llbracket\Phi\rrbracket$;

$\alpha \in \llbracket\Box\Psi\rrbracket$ iff for all $i \ge 0$, $\alpha[i..] \in \llbracket\Psi\rrbracket$;

$\alpha \in \llbracket\Diamond\Psi\rrbracket$ iff for some $i \ge 0$, $\alpha[i..] \in \llbracket\Psi\rrbracket$;

$\alpha \in \llbracket\Psi_1 \sqcap \Psi_2\rrbracket$ iff $\alpha \in \llbracket\Psi_1\rrbracket \sqcap \llbracket\Psi_2\rrbracket$;

$\alpha \in \llbracket\bot\rrbracket$ iff $\alpha =$

where $\alpha[i..]$ denotes the infinite suffix that begins with the $i$-th symbol of the sequence $\alpha$.

Lemma 2 For every TL⊓-formula $\Psi$, the set $\llbracket\Psi\rrbracket$ is a property (i.e., $\llbracket\Psi\rrbracket$ is closed under stuttering).

A judgment of TL⊓ is an expression of the form $\Psi_1 \sqsubseteq \Psi_2$ for TL⊓-formulae $\Psi_1$ and $\Psi_2$. The TL⊓-judgment $\Psi_1 \sqsubseteq \Psi_2$ is true if $\llbracket\Psi_1\rrbracket \sqsubseteq \llbracket\Psi_2\rrbracket$. (The judgments of ordinary logic, by contrast, are of the form $\models \Psi$, which is true if the formula $\Psi$ is valid.)

TL⊓-judgments are used to assert correctness conditions of systems. Suppose, for example, that we have a list $\Psi_1, \ldots, \Psi_n$ of system requirements and we wish to prove that every system that satisfies these requirements also satisfies $\Psi$. This correctness condition is asserted by the TL⊓-judgment

$$\Psi_1 \sqcap \ldots \sqcap \Psi_n \sqsubseteq \Psi.$$

4.2 TL⊓ versus TLA

To compare TL⊓ with TLA [Lam91], we interpret TL⊓-formulae over action properties.

An action formula Φ is a boolean expression over a set $Var(\Phi)$ of variables that may occur in Φ either primed or unprimed. An action formula Φ is a state formula if only unprimed variables occur in Φ.




The action formula Φ defines the action $a_\Phi$ such that $V_{a_\Phi} = Var(\Phi)$, and $(s,t) \in R_{a_\Phi}$ iff Φ evaluates to true when every unprimed variable $x$ is interpreted as $F_s(x)$ and every primed variable $x'$ is interpreted as $F_t(x)$. For example, $(s,t) \in [\![y = 0 \wedge x' = x + 1]\!]$ iff $Var(s) = Var(t) = \{x, y\}$ and $F_s(y) = 0$ and $F_t(x) = F_s(x) + 1$.

The action formula Φ defines the set of actions $[\![\Phi]\!]$ that consists of the action $a_\Phi$, and if Φ is a state formula then $[\![\Phi]\!]$ also contains the stutter action $\tau a_\Phi$. If the atomic formulae of TL⊓ are action formulae and the stutter closed atomic formulae of TL⊓ are state formulae, then every TL⊓-formula defines an action property. We call the resulting logic TLA⊓.

Let Ψ be a TLA⊓-formula, and let $Con[\Psi]$ be the TLA-formula that results from Ψ by replacing all m.a.c.r. operators ⊓ with conjunctions ∧ and by replacing all occurrences of ⊥ with the truth value false. Every TLA-formula φ defines a state property $[\![\varphi]\!]$ [Lam91]. For a TLA⊓-formula Ψ let $[\![\Psi]\!]_U$ be the adjustment of all state behaviors in $Stat[[\![\Psi]\!]]$ to the universe of variables $U$. That is, if $(V_0, F_0)(V_1, F_1)\ldots \in Stat[[\![\Psi]\!]]$ then $(U, F_0^U)(U, F_1^U)\ldots \in [\![\Psi]\!]_U$, where $F^U$ is an extension of the function $F$ to the domain $U$.

Theorem 2 For every TLA⊓-formula Ψ, $[\![Con[\Psi]]\!] \subseteq$

The converse of this theorem is not true. Consider, for example, the universe $U = \{x, y\}$ of variables and the two specifications $\Psi_1 = \Box[x' = x + 1]$ and $\Psi_2 = \Box[y' = y + 1]$. While the behavior

$$
(x{:}\,3,\ y{:}\,5),\ (x{:}\,4,\ y{:}\,6),\ (x{:}\,4,\ y{:}\,7),\ (x{:}\,4,\ y{:}\,8),\ \ldots
$$

is a model of the TLA⊓-formula $\Psi_1 \sqcap \Psi_2$, it is not a model of the TLA-formula $\Psi_1 \wedge \Psi_2$.
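The counterexample above, checked on a finite prefix under both readings; this is an added example, not part of the paper. The representation of a specification as (variable set, step predicate), the finite prefix, and the m.a.c.r. reading (each □[Φᵢ] judged on the restriction of the behavior to Var(Φᵢ), following the adjustment ⟦Ψ⟧_U described above) are this example's assumptions.

```python
def step_violates_box(prefix, action, variables):
    """Index of the first step of `prefix` (a list of states, each a dict from
    variable name to value) that neither stutters on `variables` nor satisfies
    `action(s, t)`; None if no step does.  Only the safety part of box[Phi] can
    be checked on a finite prefix, so None means "no violation so far"."""
    for i in range(len(prefix) - 1):
        s, t = prefix[i], prefix[i + 1]
        stutters = all(s[v] == t[v] for v in variables)
        if not stutters and not action(s, t):
            return i
    return None


def holds_conjunction(prefix, specs, universe):
    """TLA reading Con[Psi_1 ⊓ Psi_2] = box[Phi_1] ∧ box[Phi_2]: by the page's
    semantics of box[Phi], a step may only stutter on the whole universe U."""
    return all(step_violates_box(prefix, action, universe) is None
               for _, action in specs)


def holds_macr(prefix, specs):
    """m.a.c.r. reading of Psi_1 ⊓ Psi_2 (assumption: each box[Phi_i] is judged
    on the restriction of the behavior to Var(Phi_i), so stuttering on
    Var(Phi_i) alone is allowed)."""
    return all(step_violates_box(prefix, action, variables) is None
               for variables, action in specs)


# Psi_1 = box[x' = x + 1] with Var = {x};  Psi_2 = box[y' = y + 1] with Var = {y}.
SPECS = [({"x"}, lambda s, t: t["x"] == s["x"] + 1),
         ({"y"}, lambda s, t: t["y"] == s["y"] + 1)]
UNIVERSE = {"x", "y"}

# Constructed finite prefix of the paper's behavior
# (x:3,y:5), (x:4,y:6), (x:4,y:7), (x:4,y:8), ...
PREFIX = [{"x": 3, "y": 5}, {"x": 4, "y": 6},
          {"x": 4, "y": 7}, {"x": 4, "y": 8}]

if __name__ == "__main__":
    print("prefix of a model of Psi_1 ⊓ Psi_2:", holds_macr(PREFIX, SPECS))
    print("prefix of a model of Psi_1 ∧ Psi_2:",
          holds_conjunction(PREFIX, SPECS, UNIVERSE))
    # The step (x:4,y:6) -> (x:4,y:7) neither stutters on U nor increments x.
    print("first bad step for box[x' = x + 1] read in TLA:",
          step_violates_box(PREFIX, SPECS[0][1], UNIVERSE))
```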

4.3 Example: verification of the watch design

In proving that property $P$ refines property $Q$ it is often convenient to define property $P$ by a formula of the form $\Psi' \sqcap \Psi''$. Formula $\Psi'$ defines only the behavior of the more refined variables of $P$, and the formula $\Psi''$ sets the connection among the variables of $Q$ and the variables of $\Psi'$. Let us consider again the watch example in Section 3.2. In Figure 6, we present a temporal formula Stopwatch1 that defines the first (more abstract) version of the stopwatch. The Stopwatch1 formula is defined over the variable $t$ (the current time) that ranges over the values $\{0, 1, 2\}$, the variable $st$ (the current time of the stopwatch) that ranges over the values $\{0, 1, 2\}$ and the variable $m_{stw}$ (the mode of the watch) that ranges over the values $\{stw, nstw\}$. In Figure 6 we also present a temporal formula Stopwatch2 that defines the second version of the stopwatch. This formula is the m.a.c.r. of two subformulas: $\Psi'$ refers only to the variables $dt$ (the current time), $dst$ (the current time of the stopwatch) and $m_{stw}$ (the mode of the watch), where the variables $dt$ and $dst$ range over the values $\{0.0, 0.5, 1.0, 1.5, 2.0, 2.5\}$. The second subformula $\Psi''$ defines the connection between the variables $t$ and $dt$ and the variables $st$ and $dst$.

We use the following sound rule to prove that Stopwatch2 ⊑ Stopwatch1:

$$
\begin{array}{c}
\Phi_1 \wedge \Phi_3 \Rightarrow \Psi_1 \\[2pt]
((\Phi_2 \vee \tau\Phi_2) \wedge \Phi_3) \Rightarrow (\Psi_2 \vee \tau\Psi_2) \\[2pt]
\Phi_3 \Rightarrow \Psi_3 \\
\hline
(\Phi_1 \sqcap \Box[\Phi_2] \sqcap \Box\Phi_3) \sqsubseteq (\Psi_1 \sqcap \Box[\Psi_2] \sqcap \Box\Psi_3)
\end{array}
$$

where $\Phi_3$ and $\Psi_3$ are state formulae, $\tau\Phi = enable(\Phi) \wedge \bigwedge_{x \in Var(\Phi)} x = x'$ ¹, and ⇒ is logical implication.

¹The predicate $enable(\Phi)$ [Lam91] evaluates to true in state $s$ iff there exists a state $t$ such that Φ evaluates to true at $(s, t)$.

The premises of the above rule require proving simple first order validities (see the full paper).


5 Discussion: Most Abstract Common Refinement versus Modular Refinement

Traditional stepwise refinement strategies are linear rather than tree-like: one constructs a sequence of refinement steps $P_1 \sqsupseteq P_2 \sqsupseteq \cdots \sqsupseteq P_n$ moving gradually from the most abstract specification $P_1$ to the most concrete, perhaps executable, specification $P_n$. Since the complexity of verifying a refinement step $P_{i+1} \sqsubseteq P_i$ depends on the sizes of $P_i$ and $P_{i+1}$, modular refinement strategies have been proposed [Bac89, Ger89, Jon89]. The modular approach first develops (refines) system components independently, and then integrates the refined components into a single system.

The modular approach has two properties that limit its scope of applicability. Neither limitation is shared by m.a.c.r.-based refinement strategies.

First, in the modular approach, the refinement relation must be a precongruence to guarantee that the system that results from integrating the refined parts is a refinement of the initial specification. Formally, for every context $C[\cdot]$ of the specification language, $Q_1 \sqsubseteq Q_2$ must imply $C[Q_1] \sqsubseteq C[Q_2]$. Second, in the modular approach, the decomposition of a specification is driven by the structure of the specification. For example, if the top level of a specification is a parallel-composition operator, then both processes must be developed independently.

In [WLL88] a lattice-structured refinement strategy is presented. According to this strategy, several specifications of the system are developed at different levels of abstraction and the lattice represents the refinement relation among these specifications. Our refinement strategy differs from that in [WLL88] in eliminating the problem of "guessing" a common refinement: we construct a common refinement using the m.a.c.r. operator.
Figure 1: The $M_d$ automaton (acceptance condition $F_d$ over the states $W = \{s_0, \ldots, s_4\}$; diagram not reproduced)

Figure 2: The $M_u$ automaton ($F_u = \{2^W - \emptyset\}$, where $W = \{w_0, w_1, w_2, w_3\}$; diagram not reproduced)

Figure 3: The $M_s$ automaton ($F_s = \{\{m_1, m_2, m_3\}, \{m_4, m_5, m_6\}, \{m_7, m_8, m_9\}, \{m_0\} \cup 2^W\}$, where $W = \{m_0, \ldots, m_9\}$; diagram not reproduced)
Stopwatch version 1:

$$
\begin{array}{lcl}
tac & \equiv & m_{stw} = stw \wedge t' = (t + 1) \bmod 3 \wedge st' = (st + 1) \bmod 3 \wedge m'_{stw} = m_{stw} \\[2pt]
f_0 & \equiv & t = 0 \wedge ((m_{stw} = nstw \wedge m'_{stw} = stw \wedge st' = 0) \vee (m_{stw} = stw \wedge m'_{stw} = nstw \wedge st' = st)) \wedge t' = t \\[2pt]
f_1 & \equiv & t = 1 \wedge ((m_{stw} = nstw \wedge m'_{stw} = stw \wedge st' = 0) \vee (m_{stw} = stw \wedge m'_{stw} = nstw \wedge st' = st)) \wedge t' = t \\[2pt]
f_2 & \equiv & t = 2 \wedge ((m_{stw} = nstw \wedge m'_{stw} = stw \wedge st' = 0) \vee (m_{stw} = stw \wedge m'_{stw} = nstw \wedge st' = st)) \wedge t' = t \\[2pt]
z & \equiv & (m_{stw} = nstw) \wedge (m'_{stw} = m_{stw})
\end{array}
$$

The Stopwatch1 formula is:

$$
(t = 0 \wedge st = 0 \wedge m_{stw} = nstw) \sqcap \Box[tac \vee f_0 \vee f_1 \vee f_2 \vee z]
$$

Stopwatch version 2:

$$
\begin{array}{lcl}
dtac_1 & \equiv & \lfloor dt \rfloor = dt \wedge dt' = (dt + 0.5) \bmod 3 \wedge dst' = (dst + 0.5) \bmod 3 \wedge m'_{stw} = m_{stw} \\[2pt]
dtac_2 & \equiv & \lfloor dt \rfloor \neq dt \wedge dt' = (dt + 0.5) \bmod 3 \wedge dst' = (dst + 0.5) \bmod 3 \wedge m'_{stw} = m_{stw} \\[2pt]
df_0 & \equiv & \lfloor dt \rfloor = 0 \wedge ((m_{stw} = nstw \wedge m'_{stw} = stw \wedge dst' = 0) \vee (m_{stw} = stw \wedge m'_{stw} = nstw \wedge dst' = dst)) \wedge dt' = dt \\[2pt]
df_1 & \equiv & \lfloor dt \rfloor = 1 \wedge ((m_{stw} = nstw \wedge m'_{stw} = stw \wedge dst' = 0) \vee (m_{stw} = stw \wedge m'_{stw} = nstw \wedge dst' = dst)) \wedge dt' = dt \\[2pt]
df_2 & \equiv & \lfloor dt \rfloor = 2 \wedge ((m_{stw} = nstw \wedge m'_{stw} = stw \wedge dst' = 0) \vee (m_{stw} = stw \wedge m'_{stw} = nstw \wedge dst' = dst)) \wedge dt' = dt \\[2pt]
dz & \equiv & (m_{stw} = nstw) \wedge (m'_{stw} = m_{stw})
\end{array}
$$

The Stopwatch2 formula is $\Psi' \sqcap \Psi''$, where

$$
\Psi' = (dt = 0 \wedge dst = 0 \wedge m_{stw} = nstw) \sqcap \Box[dtac_1 \vee dtac_2 \vee df_0 \vee df_1 \vee df_2 \vee dz]
$$

and

$$
\Psi'' = \Box(t = \lfloor dt \rfloor \wedge st = \lfloor dst \rfloor)
$$

Figure 6: Stopwatch versions in TLA⊓